For years, "privacy policy" was that link at the bottom of a website nobody clicked on. You copied one from a competitor, swapped the company name, and moved on. Those days are over.
In the past eighteen months, Kenya's Office of the Data Protection Commissioner (ODPC) has shifted decisively. Zuku Fibre was fined KES 500,000 for messaging a former customer. Regus Kenya was hit with a KES 5 million penalty (later reduced to KES 2.5 million on appeal). Platinum Credit paid KES 400,000 for unsolicited marketing calls. And just this month, the ODPC ordered LOLC Kenya to delete a complainant's personal data after posting his images on Facebook without consent.
KES 30 million+ — the total compensation paid out by Kenyan organisations for privacy violations in 2025, according to ODPC data. The regulator has resolved 7,497 complaints out of 7,611 received.
Nairobi's growing digital economy is driving stricter data regulation. Photo by Kenny Murgor on Unsplash
If you run a Kenyan business — fintech, school, retail, real estate, anything — the regulatory ground you're standing on looks nothing like it did three years ago. Here's what's changed, and what you need to do.
Why Compliance Just Got Serious
Kenya's Data Protection Act, 2019 came into force on 25 November 2019 — the country's first comprehensive privacy law, closely modelled on the EU's GDPR. For the first few years, the ODPC focused on education and registration drives. That grace period is over.
- Administrative fines of up to KES 5 million or 1% of annual turnover, whichever is lower. The Data Protection (Amendment) Bill 2025 proposes changing this to "whichever is higher" — a substantial increase for larger organisations.
- Criminal prosecution of directors and officers for wilful violations or for obstructing investigations, with penalties of up to ten years' imprisonment.
- Daily fines of up to KES 10,000 for every day a breach remains unrectified.
- Right of data subjects to seek additional compensation through the courts after ODPC proceedings.
The question is no longer "do we have a privacy policy?" It's "is our organisation structurally compliant?"
What a Real Privacy Policy Looks Like
A privacy policy is not a legal disclaimer — it's the public contract between your business and every person whose data you touch. A compliant policy tells someone, specifically:
- Who you are — legal name, physical address, contact for data queries
- What data you collect — not "information you provide," but actual categories
- Why you collect it — tied to lawful bases (consent, contract, legal obligation, etc.)
- Who you share it with — payment processors, cloud providers, analytics, marketing tools
- How long you keep it — "as long as necessary" is not a retention period
- Cross-border transfers — where data goes and what safeguards apply
- Data subject rights — access, correction, deletion, objection, portability
- How to complain — to you, and to the ODPC
Most businesses discover compliance gaps only during data inventory — that's the right time to find them. Photo by Cytonn Photography, Nairobi, on Unsplash
Three Enforcement Patterns Worth Watching
Marketing after the relationship ends. This is the single most common complaint. Zuku, Regus, Platinum Credit — all three were hit for sending promotional messages to people who had either terminated services or never opted in. If your CRM doesn't reliably honour unsubscribe and deletion requests, this is where you'll get caught.
Using people's images without direct consent. In Esther Kanza Mbuvu v Grain Industries, the ODPC ruled consent must come from the data subject themselves — not from a family member, not from a release form signed years ago. The KES 1,000,000 compensation was a wake-up call for every marketing team in Kenya.
Obstructing investigations. Failing to respond to ODPC notices is now treated as an aggravating factor. In the LOLC matter, the Commissioner recommended prosecution of directors for obstruction. "We never got your notice" is no longer a defence.
💡 The pattern: None of these cases involved hackers, leaks, or major breaches. They were basic compliance failures — failures that a well-built system would have prevented automatically.
Why AI & New Tech Raise the Stakes
The more AI and automation we integrate into business operations, the higher the data protection stakes rise. At Alphawonders, LLM and generative AI integrations are now a core part of what we build — and privacy has to be designed in, not bolted on.
Take SomaSmart, our school management platform with AI tutoring. It processes data belonging to minors — grades, attendance, learning patterns, tutor interactions. Under the DPA, children's data is sensitive personal data by default. That means parental-consent flows, data minimisation, strict retention limits, and deliberate choices about what the AI "remembers" and for how long.
Then there's DukaPOS, our POS system now live for Kenyan retailers. A POS handles customer phone numbers, M-Pesa till records, purchase histories, and loyalty data — all personal data under the Act. A retailer running DukaPOS can honour data subject requests (export, deletion, correction) cleanly because the system was designed for it. A retailer on a patchwork of spreadsheets and WhatsApp messages cannot.
Or OversightIQ, our clinical trials dashboard built for FDA compliance. FDA and DPA don't overlap perfectly — the FDA cares about data integrity and audit trails, the DPA cares about lawful basis and subject rights — but a system built for one is dramatically better positioned for the other. Role-based access, immutable audit logs, and data residency controls from day one.
The Worldcoin case is the cautionary tale. A system not built for Kenyan compliance couldn't be retrofitted fast enough to satisfy the ODPC, and the operational cost of that gap was enormous.
Compliance built into architecture is dramatically cheaper than compliance retrofitted after an enforcement notice.
A Practical Compliance Checklist
If this post is making you nervous about where your business stands, here's a sensible sequence to work through:
- Do a data inventory. Map every category of personal data you collect, where it lives, who has access, what you do with it, who you share it with.
- Check your registration status. If your annual revenue exceeds KES 5 million or you're in a mandatory sector (finance, health, telecoms), register with the ODPC at odpc.go.ke.
- Rewrite your privacy policy to match reality — not the other way around. If you say you don't share data but you use HubSpot and Meta Pixel, the policy is wrong.
- Fix your consent flows. Pre-ticked boxes out. Bundled consent out. Granular opt-in for each purpose in.
- Build a data subject request process with a named owner, defined timeframes, and an audit trail. The Zuku fine was fundamentally about this missing process.
- Run a DPIA on anything high-risk — new AI features, cross-border transfers, large-scale sensitive data processing.
- Train your staff. Most breaches are human, and most are prevented by training rather than technology.
- Appoint a DPO if you qualify — required for public bodies, systematic monitoring, or large-scale sensitive data processing.
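As an added illustration of the consent-flow and request-handling items above (and of the "marketing after the relationship ends" pattern), here is a small consent ledger with a marketing-send gate and an append-only audit trail. It is example code written for this post, not Alphawonders' or any product's code; the names `ConsentLedger`, `SubjectRecord` and the purpose strings are assumptions, and the subject ids are constructed.

```python
"""Per-purpose consent ledger plus a send gate for promotional messages."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

SERVICE = "service"      # consent needed to deliver the contracted service
MARKETING = "marketing"  # promotional messages: a separate, explicit opt-in


@dataclass
class SubjectRecord:
    active_customer: bool = True
    consents: dict = field(default_factory=dict)  # purpose -> True/False


class ConsentLedger:
    """Granular consent per purpose; every change and decision is logged."""

    def __init__(self):
        self.subjects = {}  # subject id -> SubjectRecord
        self.audit = []     # append-only trail: (timestamp, subject, event, detail)

    def _log(self, subject_id, event, detail):
        ts = datetime.now(timezone.utc).isoformat()
        self.audit.append((ts, subject_id, event, detail))

    def record(self, subject_id, purpose, granted):
        # One purpose at a time: consent to SERVICE never implies MARKETING.
        rec = self.subjects.setdefault(subject_id, SubjectRecord())
        rec.consents[purpose] = granted
        self._log(subject_id, "consent", f"{purpose}={granted}")

    def withdraw(self, subject_id, purpose):
        # An unsubscribe is stored as an explicit False, not a deleted key.
        self.record(subject_id, purpose, False)

    def terminate_service(self, subject_id):
        rec = self.subjects.setdefault(subject_id, SubjectRecord())
        rec.active_customer = False
        self._log(subject_id, "terminated", "relationship ended")

    def may_send_marketing(self, subject_id):
        """Return (allowed, reason); former customers are blocked outright."""
        rec = self.subjects.get(subject_id)
        if rec is None:
            reason = "unknown subject"
        elif not rec.active_customer:
            reason = "former customer"
        elif not rec.consents.get(MARKETING, False):
            reason = "no marketing opt-in"
        else:
            reason = "opted in"
        allowed = reason == "opted in"
        self._log(subject_id, "send_check", f"{'allowed' if allowed else 'blocked'}: {reason}")
        return allowed, reason
```

The CRM or messaging job calls `may_send_marketing` immediately before each send, so a withdrawal or termination recorded a minute earlier is honoured and the audit list shows why each message was or was not sent.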
Building Software? Build in Compliance.
At Alphawonders, every product we ship — from mvacant to SomaSmart to InsideReview — is designed with data protection as part of the architecture, not an afterthought. If you're building or scaling a product in Kenya, let's make sure it's compliance-ready from day one.
Need Help Getting Compliance-Ready?
At Alphawonders, we help Kenyan businesses build cyber security and data protection into their software from day one — from privacy-policy audits to system-level controls and ongoing compliance monitoring. If the ODPC's new enforcement posture has you nervous, let's talk.
The Bottom Line
The Data Protection Act wasn't written to trap businesses. It was written because personal data has real value, real risks, and real consequences when it's mishandled. Every ODPC ruling sends the same message: organisations that treat privacy as first-class will build trust, win customers, and move into regulated markets far more easily than those treating it as a compliance tax.
The businesses struggling right now are the ones that waited. The ones who will struggle next are the ones still waiting. Got questions about where your business stands? Get in touch — we'd be glad to talk it through.